blocking rogue router advertisements on switches

Gavin McCullagh gavin.mccullagh at gcd.ie
Thu May 5 18:55:55 CEST 2011 

Hi,

we have rolled out IPv6 connectivity to our campus so students should all
use v6 where a AAAA is available.  Even if we hadn't, we'd probably still
be suffering from machines sending rogue router adverts, but such is life.

We had a similar situation some years ago with rogue DHCP servers.  The way
we addressed that was to first use a tcpdump one-liner to detect udp port
67 messages from wrong IP addresses and then to block messages with UDP
source port 67 on all user ports on our switches.  This might not be the
absolutely perfect approach, but we've found it to be pretty effective.  

An analogous approach for detecting rogue RAs, if I understand correctly is
to detect all icmp6 messages like this:

tcpdump <.....>  icmp6 and ip6[40] == 134 and src host not $ALLOWED_RA_SERVER

A typical captured frame looks something like

         0x0000:  3333 0000 0001 000e 0cb1 33a8 86dd 6000
         0x0010:  0000 0050 3aff fe80 0000 0000 0000 020e
         0x0020:  0cff feb1 33a8 ff02 0000 0000 0000 0000
         0x0030:  0000 0000 0001 8600 ff1d 4000 0000 0000
         0x0040:  0000 0000 0000 0304 40c0 0027 8d00 0009
          <snip>....

We use D-Link switches a fair bit which don't have IPv6 support per se, but
do have "packet content" filters (I think they may mean frame content).
I'm hoping to create a filter like this across all user ports:

# inspect the IP protocol field and the type
create access_profile packet_content_mask offset_16-31 0x0 0xff000000 0x0 0x0 offset_48-63 0x0 0x0000ff00 0x0 0x0  port 1-48 profile_id 2
# match ICMPv6 and router adverts 
config access_profile profile_id 2 add access_id 1 packet_content offset_16-31 0x0 0x3a000000 0x0 0x0 offset_48-63 0x0 0x00008600 0x0 0x0 deny

This results in a filter like this:

 ID  Mode
 --- ------ ----------------------------------------------------
 1   Deny   Offset 0-15  : 0x00000000 00000000 00000000 00000000
            Offset 16-31 : 0x00000000 3a000000 00000000 00000000
            Offset 32-47 : 0x00000000 00000000 00000000 00000000
            Offset 48-63 : 0x00000000 00008600 00000000 00000000
            Offset 64-79 : 0x00000000 00000000 00000000 00000000

I can test and make sure that this will prevent the rogue RAs, but I'm
slightly concerned in case my filter is too general and I block something I
shouldn't.

Does anyone know if this is a safe approach to the problem or am I going to
end up blocking some key traffic?

Thanks in advance for any insight,

Gavin

More information about the ipv6-ops mailing list